By Jacques Erasmus
I’ve been having trouble sleeping lately, and last night I pinpointed why. October has presented me with a perfect storm of Internet security developments: I embarked on my first few weeks as chief information security officer for Webroot amidst the most significant consumer product launch the company has ever had.
These activities alone would’ve been enough to keep corporate security top of mind 24/7, but their occurrence during Cyber Security Awareness Month further drove it home for me. So I thought perhaps it may be cathartic for me, and helpful for you, if I shared some of the risk scenarios I’ve been thinking about, and best practices for protecting yourself and your organization from them.
Scenario One: Network-based infections.
Many organizations have solid standards for securing all of the desktop and laptop computers their employees use to locally and remotely access the corporate network. But all it takes is one contractor connecting an infected laptop to the corporate network to expose sensitive corporate and customer information to malware. Think of it from a physical security perspective: just as you’d keep strangers out of the building, you’d want to prevent rogue access points. The way we’re protecting ourselves at Webroot is by using our SecureAnywhere anti-malware technology to interface with network access control devices, so that endpoints are verified clean before they are allowed onto the network.
Scenario Two: Web app vulnerabilities.
SQL injection lets criminals harvest passwords, bank account numbers and other personal information you may use for online transactions on seemingly safe sites. Man-in-the-middle attacks, in which an attacker intercepts a communication between a customer and the server it’s intended to reach, are made possible by poor coding standards or poor input validation on web forms. Gaps like these let an attacker alter the fields where you enter your login credentials in order to facilitate the heist. To the user, the site URL also may appear dodgy. Developers, it’s critical that you employ secure coding standards for web applications.
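As an added illustration (not code from the original post or from Webroot), here is a login check built by string concatenation beside a hardened version that combines allow-list input validation with a parameterized query. The table, the account and the test inputs are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory database with one account.
# Passwords are stored in plaintext only to keep the demonstration short;
# a real application stores salted password hashes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
conn.commit()


def login_vulnerable(username, password):
    """Builds the SQL by concatenating raw form input.

    Whatever the user types becomes part of the query text, so a quote
    character in either field changes the query's logic instead of being
    compared as data. This is the flaw SQL injection exploits.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


# Allow-list: usernames are short and drawn from a known-safe character set.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def login_hardened(username, password):
    """Validates the input, then binds it as parameters.

    The database driver sends the query text and the values separately, so
    user input can never be interpreted as SQL no matter what it contains.
    """
    if not USERNAME_RE.fullmatch(username):
        return False  # reject anything that is not a plausible username
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0
```

Feeding a value containing a quote into the password field makes the concatenated query succeed without the real password, while the parameterized query simply compares it as an ordinary (wrong) string.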
Scenario Three: Targeted Attacks.
This last scenario is more like a billion rolled into one; IT administrators as well as individual web users should have a healthy dose of concern about targeted attacks. Malware authors can customize Trojans for the specific environment they want to attack and the specific data they plan to steal, such as source code, financial information and customer data.
Advanced persistent threats like these typically penetrate organizations via social engineering tactics such as spoofed emails designed to look like they’re coming from a trusted source. Employees who receive one of these emails and do what the message asks unwittingly trigger an exploit: clicking a link or opening a PDF, Flash or QuickTime file leads to a drive-by download.
Here’s a real-world example that will give you a good idea of why the targeted attack is the most dangerous risk scenario of them all:
Bank tellers at a financial institution we were working with received an email under the name of someone at the company they knew and trusted. The email claimed their CEO was going to appear on TV and they’d need to register for a certain website in order to view the show online at their desks. A few of the tellers clicked a link in the email and landed on a website which told them to install a tool to view videos.
It turns out the tool the tellers installed was actually the SpyEye Trojan, and the criminal had done his homework. He knew this bank had an international wire transfer interface; he also knew that in order to use the bank’s wire transfer interface, you need to be inside the bank’s network to initiate the transfers, and you’d need to infect more than one teller because the bank uses dual control to enable a wire transfer. So infecting two employees was the ideal entry point.
While the tellers were working, the criminal created a second online session and made three very sizeable transfers to three remote geographies. And since the crime happened late on a Friday, the financial institution was unprepared to stop the transfers, ultimately losing thousands and thousands of dollars.
The good news is a number of measures can thwart this kind of attack:
IT administrators, keep in mind the easiest point of entry for a cybercriminal is your weakest link: your employees. Educate your employees on spotting a fake.
Web users, if you’re online at work or at home and aren’t sure whether the URL in a suspicious email is dangerous, check it out on whois.net or DomainTools.com. If you’re sending emails or transacting online outside of the office, make sure the sites you’re using are served over HTTPS; otherwise your password can be sniffed on an unsecured network.